FYI - Document Dump: 40
Boxes of Ameriquest Mortgage Records Found in Dumpster - Police are
investigating how the personal files of 1,200 Ameriquest Mortgage
customers turned up in a dumpster at an Atlanta apartment complex.
FYI - Couple swarmed by
SWAT team after 911 'hack' - Teenager 'pranks' family two states
away, with near-disastrous results - A Washington state teenager is
facing 18 years in prison on charges that he used his PC to access
the Orange County, Calif., 911 emergency response system and
convinced the sheriff's department into storming an area couple's
home with a heavily armed SWAT team.
FYI - 90 percent of
websites vulnerable to attack - Nine out of 10 websites have
vulnerabilities open to attack, according to a new report by
WhiteHat Security. Cross-site scripting (XSS) is the No. 1 class of
vulnerability, impacting three-quarters of websites, according to
the company's third WhiteHat Website Security Statistics Report.
FYI - Phishers (almost)
scam grocery giant out of $10 million - Social engineers come close
to reeling in a big one - Apparently it's not just unwary
individuals that fall victim to online scammers. Even large
corporations, it seems, can get suckered into parting with their
money by devious phishers.
FYI - Audit criticizes
state agency for lax computer security - Several former employees of
the state Department of Revenue Services and other agencies still
had access to state computer networks after being fired or
voluntarily leaving their jobs, according to a new state audit.
FYI - Banks still
struggling with IT security - Strategy in short supply as banks
continue to rely on perimeter - Most banks rely too much on IT for
security and are overly confident in how effective security measures
can be, according to a survey of IT directors of top tier banks from
UK, France, Germany, Italy, Spain, Belgium, Netherlands and
FYI - Colorado Rockies
blame cyberattack for online ticket-sales outage - The Colorado
Rockies blamed a cyberattack for knocking their World Series online
ticket-sales operation out of the batter's box.
FYI - GAO - VA and DOD
Continue to Expand Sharing of Medical Information, but Still Lack
Comprehensive Electronic Medical Records.
FYI - Theft of Home
Depot laptop Puts 10,000 at Risk - Home Depot confirmed a company
laptop was stolen that contains personal information about
approximately 10,000 employees of the do-it-yourself retailing
FYI - Fasthosts
customer? Change your password now - Fasthosts, "the UK's number 1
web host", has fired off emergency emails telling customers to
change all their passwords after police were called in to
investigate a major data breach.
FYI - Official gave
private details to media in new leak shock - A SENIOR civil servant
has resigned after she was found to have improperly accessed and
passed on personal records of up to 40 individuals.
FYI - Office of
financial aid loses back up info - Iron Mountain Incorporated has
notified the Louisiana Office of Student Financial Assistance (LOSFA)
that it lost back-up media belonging to LOSFA on September 19, 2007.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the FDIC's Supervisory Policy on Identity
(Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non‑repudiation,
data privacy, and cryptographic key management.
A certificate authority (CA) is a trusted third party that
verifies the identity of a party to a transaction . To do this, the
CA vouches for the identity of a party by attaching the CA's digital
signature to any messages, public keys, etc., which are transmitted.
Obviously, the CA must be trusted by the parties involved,
and identities must have been proven to the CA beforehand.
Digital certificates are messages that are signed with the
CA's private key. They identify the CA, the represented party, and could even
include the represented party's public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop.
They are likely to play an important role in key management
by issuing, retaining, or distributing public/private key pairs.
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies
and methods can be used individually, or in combination with one
techniques may merely encrypt data in transit from one location to
another. While this keeps the data confidential during transmission,
it offers little in regard to authentication and
techniques may utilize digital signatures, but still require the
encrypted submission of sensitive information, like credit card
numbers. Although protected during transmission, additional measures
would need to be taken to ensure the sensitive information remains
protected once received and stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized.
Care should be taken to ensure the techniques
utilized are sufficient to meet the required needs of the
institution. All of the
technical and implementation
differences should be explored when determining the most appropriate
the top of the newsletter
IT SECURITY QUESTION:
IT Steering Committee responsibilities:
a. Purchase of new computer equipment and software?
b. Reviewing IT examinations reports?
c. Reviewing internal and external IT auditing reports?
d. Hiring IT management personnel?
e. Recommendations to the Board for IT policy changes?
f. Reviewing IT security issues?
g. Reports to the Board of Directors?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous
notice that accurately reflects its privacy policies and practices
to all customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1))]?
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])